feat(auth): Clean-up unused auth tokens and wipe tokens

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

lib/private/Authentication/Token/PublicKeyTokenMapper.php

@@ -36,17 +36,20 @@ public function invalidate(string $token) {
 
 	/**
 	 * @param int $olderThan
-	 * @param int $remember
+	 * @param int $type
+	 * @param int|null $remember
 	 */
-	public function invalidateOld(int $olderThan, int $remember = IToken::DO_NOT_REMEMBER) {
+	public function invalidateOld(int $olderThan, int $type = IToken::TEMPORARY_TOKEN, ?int $remember = null) {
 		/* @var $qb IQueryBuilder */
 		$qb = $this->db->getQueryBuilder();
-		$qb->delete($this->tableName)
+		$delete = $qb->delete($this->tableName)
 			->where($qb->expr()->lt('last_activity', $qb->createNamedParameter($olderThan, IQueryBuilder::PARAM_INT)))
-			->andWhere($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN, IQueryBuilder::PARAM_INT)))
-			->andWhere($qb->expr()->eq('remember', $qb->createNamedParameter($remember, IQueryBuilder::PARAM_INT)))
-			->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)))
-			->execute();
+			->andWhere($qb->expr()->eq('type', $qb->createNamedParameter($type, IQueryBuilder::PARAM_INT)))
+			->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)));
+		if ($remember !== null) {
+			$delete->andWhere($qb->expr()->eq('remember', $qb->createNamedParameter($remember, IQueryBuilder::PARAM_INT)));
+		}
+		$delete->executeStatement();
 	}
 
 	public function invalidateLastUsedBefore(string $uid, int $before): int {

lib/private/Authentication/Token/PublicKeyTokenProvider.php

@@ -281,10 +281,19 @@ public function invalidateTokenById(string $uid, int $id) {
 	public function invalidateOldTokens() {
 		$olderThan = $this->time->getTime() - $this->config->getSystemValueInt('session_lifetime', 60 * 60 * 24);
 		$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
-		$this->mapper->invalidateOld($olderThan, OCPIToken::DO_NOT_REMEMBER);
+		$this->mapper->invalidateOld($olderThan, OCPIToken::TEMPORARY_TOKEN, OCPIToken::DO_NOT_REMEMBER);
+
 		$rememberThreshold = $this->time->getTime() - $this->config->getSystemValueInt('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
 		$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
-		$this->mapper->invalidateOld($rememberThreshold, OCPIToken::REMEMBER);
+		$this->mapper->invalidateOld($rememberThreshold, OCPIToken::TEMPORARY_TOKEN, OCPIToken::REMEMBER);
+
+		$wipeThreshold = $this->time->getTime() - $this->config->getSystemValueInt('token_auth_wipe_token_retention', 60 * 60 * 24 * 60);
+		$this->logger->debug('Invalidating auth tokens marked for remote wipe older than ' . date('c', $wipeThreshold), ['app' => 'cron']);
+		$this->mapper->invalidateOld($wipeThreshold, OCPIToken::WIPE_TOKEN);
+
+		$authTokenThreshold = $this->time->getTime() - $this->config->getSystemValueInt('token_auth_token_retention', 60 * 60 * 24 * 365);
+		$this->logger->debug('Invalidating auth tokens older than ' . date('c', $authTokenThreshold), ['app' => 'cron']);
+		$this->mapper->invalidateOld($authTokenThreshold, OCPIToken::PERMANENT_TOKEN);
 	}
 
 	public function invalidateLastUsedBefore(string $uid, int $before): void {

tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php

@@ -56,12 +56,6 @@ protected function setUp(): void {
 		$this->hasher = \OC::$server->get(IHasher::class);
 		$this->crypto = \OC::$server->getCrypto();
 		$this->config = $this->createMock(IConfig::class);
-		$this->config->method('getSystemValueInt')
-			->willReturnMap([
-				['session_lifetime', 60 * 60 * 24, 150],
-				['remember_login_cookie_lifetime', 60 * 60 * 24 * 15, 300],
-				['token_auth_activity_update', 60, 60],
-			]);
 		$this->config->method('getSystemValue')
 			->willReturnMap([
 				['openssl', [], []],
@@ -330,20 +324,25 @@ public function testInvalidateTokenById() {
 		$this->tokenProvider->invalidateTokenById('uid', $id);
 	}
 
-	public function testInvalidateOldTokens() {
+	public function testInvalidateOldTokens(): void {
 		$defaultSessionLifetime = 60 * 60 * 24;
 		$defaultRememberMeLifetime = 60 * 60 * 24 * 15;
-		$this->config->expects($this->exactly(2))
+		$wipeTokenLifetime = 60 * 60 * 24 * 60;
+		$this->config->expects($this->exactly(4))
 			->method('getSystemValueInt')
 			->willReturnMap([
 				['session_lifetime', $defaultSessionLifetime, 150],
 				['remember_login_cookie_lifetime', $defaultRememberMeLifetime, 300],
+				['token_auth_wipe_token_retention', $wipeTokenLifetime, 500],
+				['token_auth_token_retention', 60 * 60 * 24 * 365, 800],
 			]);
-		$this->mapper->expects($this->exactly(2))
+		$this->mapper->expects($this->exactly(4))
 			->method('invalidateOld')
 			->withConsecutive(
-				[$this->time - 150],
-				[$this->time - 300]
+				[$this->time - 150, IToken::TEMPORARY_TOKEN, IToken::DO_NOT_REMEMBER],
+				[$this->time - 300, IToken::TEMPORARY_TOKEN, IToken::REMEMBER],
+				[$this->time - 500, IToken::WIPE_TOKEN, null],
+				[$this->time - 800, IToken::PERMANENT_TOKEN, null],
 			);
 
 		$this->tokenProvider->invalidateOldTokens();